"He who receives an idea from me receives it without lessening me, as he who lights his candle at mine receives light without darkening me." - Thomas Jefferson

Two new releases for Auth_phpBB

By root - Published: March 3, 2008

There are two new releases for the Auth_phpBB plug-in.

Changes in 3.0.3
Fixed a potential SQL injection security hole.
Added support for multiple Wiki Groups.

Changes in 2.7
Fixed a potential SQL injection security hole.

First the added support for multiple Wiki Groups. This feature has been requested for a while now and I have added the code to support it.

In your LocalSettings there is a

$wgAuth_Config['WikiGroupName'] = 'Wiki';

This can now also be set to an array of group names to use more then one.
You can do this by either putting all the group on their own line like so.

$wgAuth_Config['WikiGroupName'][] = 'Wiki';
$wgAuth_Config['WikiGroupName'][] = 'Wiki2';

or you can set $wgAuth_Config['WikiGroupName'] to an array as follows.

$wgAuth_Config['WikiGroupName'] = array('Wiki', 'Wiki2');

Either way works.

Next is the potential SQL injection security hole. I've updated both the 3.x and 2.x line to prevent what could potentially be a SQL injection hole. I say potentially because in the environments I have the exploit does not work. It should but it doesn't. I honestly think MW cleans its input and it stops the exploit from working. So the code changes was done as a best practice change and in the event that in another environment the exploit does work. A thanks goes out to Thomas Bleher for reporting this.

[Update 03/24/08] - Due to the MySQL method I was using the reported exploit would have never worked.


By root - Published: December 27, 2007

I have just posted Auth_phpBB 3.0.2 in the download section. With this release the plug-in should work with phpBB3.

NOTE: Version 3.x of the plug-in requires MediaWiki 1.11.x, phpBB3 and PHP5.

« PreviousNext Page